Oracle has broken its silence to admit there are security issues with Java in web browsers - but it insists the tech is solid on servers and within mobile and desktop apps.
In a blog post published on Friday, Oracle noted the "media firestorm" around the recent Java vulnerability, admitting users may have been left "frustrated …

Re: Is there a more secure VM?

The vulnerabilities are not in the Java VM (HotSpot). The vulnerabilities are in the Java security policy system, which runs on top of the VM as normal Java code.

The policy system works like this

- any operation provided by Java that accesses the resources or the environment of the host computer, or various sensitive operations within the Java runtime, is considered privileged

- programs always see and try to invoke those operations

- but the implementation of the operation queries the policy system, and checks if the operation is allowed

This is no different from what the operating system does. It provides all operations to all applications, but when the operations are called, the system policy checks whether the operation is actually allowed.

By default, for desktop applications, the Java policy allows all actions.

Now, when code is run inside the browser plugin, a very strict security policy is in place. It denies operations such as accessing local files, opening network connections, and so on. And what's important, it also denies operations that attempt to modify the security policy.

The vulnerabilities are in the policy system itself. The holes allow Java code to turn off the policy system, and thus gain access to all privileged operations.
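The check-on-call pattern the comment above describes, as an added example that is not part of the original thread or of Oracle's own code. It installs a deny-everything SecurityManager of the kind a browser sandbox would use, shows a hypothetical privileged operation (`readLocalFile`, which does no real I/O) consulting it, and shows that replacing the policy is itself a checked operation. The constructed class and file path are assumptions; it targets the classic SecurityManager API (deprecated for removal since JDK 17, and on JDK 18 or later it must be run with `-Djava.security.manager=allow`).

```java
import java.io.FilePermission;
import java.security.Permission;

/** Constructed demo of a privileged operation consulting the Java policy system. */
public final class PolicyCheckDemo {

    /** Stands in for a runtime operation such as reading a local file. */
    static String readLocalFile(String path) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // The operation is always visible to callers; the policy decides whether
            // it proceeds. Untrusted code gets a SecurityException here.
            sm.checkPermission(new FilePermission(path, "read"));
        }
        return "contents of " + path; // hypothetical body, performs no real I/O
    }

    /** Strict, deny-by-default policy of the kind the plugin sandbox enforces. */
    static final class StrictManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // Deny every permission, including RuntimePermission("setSecurityManager"),
            // so code cannot remove or replace this manager.
            throw new SecurityException("denied: " + perm);
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new StrictManager());

        try {
            readLocalFile("/tmp/example.txt"); // constructed path
        } catch (SecurityException e) {
            System.out.println("file read blocked: " + e.getMessage());
        }

        try {
            // Changing the policy is a privileged operation checked the same way.
            System.setSecurityManager(null);
        } catch (SecurityException e) {
            System.out.println("policy change blocked: " + e.getMessage());
        }
    }
}
```

Both calls print a "blocked" line: the file read is refused by the policy, and the attempt to remove the manager is refused by the same `checkPermission` path, which is the property the plugin sandbox depends on and which the reported holes defeated by reaching the policy machinery from outside that path.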

Crapware Payload

Oracle's Ask.com crapware payload is even more malignant than standard - if you accidentally leave the defaults enabled, you can't just go to CP - Add/Remove and uninstall. The installer routine is coded to wait ten minutes before inserting the entry on the Control Panel list.

It's clearly intended to prevent moderately experienced Windows users from undoing their errors when they clicked too fast through the installer defaults.

Oracle should be ashamed of associating itself with such utterly scummy practices. It stinks.

Re: Crapware Payload

Any user of Oracle products is used to their practices. There are times that they make CA seem good.

A friend of mine worked for CA, and he said that they aspired to be as evil as Oracle, but weren't competent enough to manage it.

Working for them was not a happy experience either. The saddest part was the people who left CA (possibly only joining after their company was bought out), and were in a company that CA subsequently also bought. Then got made redundant. There were people who'd been through this cycle more than once.

Bag of shite

Oracle

Is just evil. From closing down the OpenSolaris project to aggressive corporate purchases to their almost complete disregard for their non-enterprise DB customers, they're evil to the bone. I used to think they were just incompetent, but it almost looks like deliberate negligence at this point.

On my wishlist then...

Re: On my wishlist then...

JRE is Java Runtime Environment (the interpreter), which can run on a number of devices, most commonly phones, e.g. JAR files, possibly even COD/ALX coded files? Just as SQLite appears to be a standard these days for phone databases?

Servers would, presumably, require the JRE in order to serve it to a client? :-/

Anyone believe Oracle these days?

Java

Okay, let's get one thing straight. All the smart devs know that Java shops turn out shite. I could earn quite a bit as a Java dev but I don't want to be involved with actively making the world a worse place.

Re: somewhere

And the joke falls flat because saying company X's security practice sucks is much different than saying all developers of a product are idiots. Do you really want me to post all the drive-by critical CVEs found in Adobe's products even in the last year? Pretty significant list, and these days it is even longer than Microsoft's, which is bad when they make the OS and a good portion of the software on most desktops.

It's getting worse

The irony was that Microsoft's unofficial version of Java, once bundled with Windows, was generally OK. Then Sun sued Microsoft and the result is that we have to use the bloated, insecure, crapware-laden official version (anything that adds itself to the system tray and creates pop-up reminders is a fail in my eyes). I never install it when building a machine, and if a website requires it, I decide that I don't require that website.

The current irritation is that the latest release of Firefox prompts me to install an updated version of Java whenever I start it (on Windows, anyway - it's OK on Linux Mint). One day the wife or kids are going to do what FF asks and I'll have a crapware-infested system. Hopefully them being "limited users" will prevent this.